1. Field of the Invention
The present invention relates to an expiration time authentication system, an expiration time authentication device, and an expiration time authentication method for applications and, in particular, is suitable for use in an expiration time authentication system that performs authentication of expiration time of an application downloaded and installed from a server into a terminal device.
2. Description of the Related Art
In recent years, mobile terminals called smartphones have become prevalent. A smartphone is a mobile terminal in which the function of a mobile phone and the function of a personal digital assistant (PDA) are merged together. A smartphone has not only the capability to perform a telephone call function but also the capability to execute various kinds of applications, which is a strength of a PDA. By downloading and installing a desired application (hereinafter referred to as a smartphone application) from a server on the Internet, a user can execute the smartphone application anytime and anywhere, at a time of the user's choosing.
Among smartphone applications, there are smartphone applications whose expiration time is set to define an available time period. Using a smartphone application whose expiration time is set requires authentication. In general, it is necessary to cause a server to store user information including an expiration time, and to cause a smartphone to connect to the server every time a user uses a smartphone application, or as frequently as, for example, once a day, in order to be authenticated. When a smartphone cannot be authenticated, it becomes difficult to use the smartphone application, or an available function of the application may be restricted.
Further, in a system in which a smartphone connects to a server and is subjected to authentication, while it is possible to strictly manage the expiration time, there has been the following problem. Specifically, in a case where, owing to a communication error, communication line congestion, or the like, it is difficult for the smartphone to connect to the server, it is difficult to subject the smartphone to authentication even if the smartphone intends to be subject to authentication. In particular, in third-world countries whose infrastructures are less developed, it may frequently be difficult to subject a smartphone to authentication. In this case, there has been a problem that it becomes difficult to use an installed smartphone application.
As a method for solving this problem, it is conceivable that, after downloading and installing a smartphone application from a server onto a smartphone, authentication is performed, without the smartphone being required to access the server, using an authentication function of managing expiration time, the authentication function being held in the smartphone application itself. In the past, there have been proposed several systems in each of which authentication is performed on a client side in a case where it is difficult to be subjected to authentication in a server (see, for example, Japanese Unexamined Patent Application Publication No. 2003-296276, Japanese Patent No. 4313425, and Japanese Patent No. 5138460).
In a computer network system described in Japanese Unexamined Patent Application Publication No. 2003-296276, when a client computer attempts to access a server computer for authentication and perform client authentication, but the server computer is in an inoperative state or is difficult to access, the client computer performs the client authentication itself, based on a client user name and a password that were received from the server computer for authentication and stored in a storage unit.
In addition, in a network system described in Japanese Patent No. 4313425, in a case where a communication error occurs in communication with an authentication server during authentication, if authentication result history information stored in a memory is read and it is determined that a successful authentication was sent back in response to transmitting an authentication request to the authentication server, processing is executed under the assumption that authentication processing succeeds.
In Japanese Unexamined Patent Application Publication No. 2003-296276 or Japanese Patent No. 4313425, described above, authentication of expiration time relating to the usage of an application is not performed. In contrast, in an information processing service execution system described in Japanese Patent No. 5138460, as a general rule, a user PC connects to a server and authentication of expiration time is performed in an online state. On the other hand, in a case of an offline state of not connecting to a network, authentication of expiration time is performed using a tamper-resistant device such as an IC card attached to the user PC.
Specifically, the tamper-resistant device stores offline authentication data, including the number of authentications performed in the offline state and the final date of authentication performed in an online state, and user information, including the presence or absence of dues payment and the expiration time. In addition, the tamper-resistant device stores in advance authentication condition data, including the number of times authentication processing is to be performed in an offline state and an available time period for authentication counted from the final date of authentication in the online state. When the user PC instructs the tamper-resistant device to perform user authentication, the application is permitted to be used in the user PC if at least one of the following two authentication conditions is satisfied: a condition in which the number of times authentication processing has been performed in an offline state is less than or equal to the predetermined number for the offline state, and the day of authentication falls within the available-for-authentication time period from the final date of authentication performed in an online state; and a condition in which the user information indicates that dues are paid, and the day of authentication is before the expiration time.
In the authentication method for the expiration time described in Japanese Patent No. 5138460, authentication in an offline state between the user PC and the tamper-resistant device is performed based on a clock embedded in the user PC. The same applies to a case where an authentication function for managing expiration time is held in an application installed in a terminal device such as a smartphone: this authentication is also performed based on a clock embedded in the terminal device. In these cases, however, there is a possibility that a user performs an operation such as turning back the internal clock of the terminal device, thereby fraudulently passing the authentication of the expiration time.
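The two offline conditions described above, and their dependence on the terminal's clock, can be seen in a short added example (not code from the patent or from any cited publication). The field names, the sample state, and the `clock_is_implausible` lower-bound check are assumptions introduced here for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class DeviceState:
    """Data held in the tamper-resistant device (field names are hypothetical)."""
    offline_auth_count: int   # authentications performed so far in the offline state
    last_online_auth: date    # final date of authentication in the online state
    dues_paid: bool           # user information: dues payment
    expiration: date          # user information: expiration time
    max_offline_auths: int    # condition data: permitted offline authentications
    offline_window_days: int  # condition data: period after last online auth


def offline_permitted(s: DeviceState, today: date) -> bool:
    """Permit use when at least one of the two described conditions holds."""
    window_end = s.last_online_auth + timedelta(days=s.offline_window_days)
    cond_count_and_window = (
        s.offline_auth_count <= s.max_offline_auths
        and s.last_online_auth <= today <= window_end
    )
    cond_paid_and_unexpired = s.dues_paid and today < s.expiration
    return cond_count_and_window or cond_paid_and_unexpired


def clock_is_implausible(s: DeviceState, today: date) -> bool:
    """Added check, not from the page: the date cannot precede the last online auth."""
    return today < s.last_online_auth


# Constructed sample state and dates.
STATE = DeviceState(2, date(2024, 3, 1), True, date(2024, 4, 1), 5, 7)
REAL_TODAY = date(2024, 5, 10)    # after expiration and outside the window
CLOCK_BACK_A = date(2024, 3, 20)  # reported date, still after last online auth
CLOCK_BACK_B = date(2024, 2, 15)  # reported date, before last online auth

if __name__ == "__main__":
    for label, d in [("real", REAL_TODAY), ("back A", CLOCK_BACK_A), ("back B", CLOCK_BACK_B)]:
        print(label, d, "permitted:", offline_permitted(STATE, d),
              "implausible:", clock_is_implausible(STATE, d))
```

The stored final date of online authentication gives only a lower bound on the true date: a reported date between that bound and the expiration time is accepted by the conditions and is not flagged by the added check.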